freeradius and cisco hidden share

John Baker johnnyb at marlboro.edu
Mon Apr 9 18:14:41 CEST 2007


Hello

 I'm certain I was using the right command. The number 7 in the line tells 
the router that a hidden key will follow.

coltrane(config)#radius-server key ?
  0     Specifies an UNENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNENCRYPTED (cleartext) shared key

Now at this point I actually got it to work. It turned out that in 
trying to copy the extremely long number from the old config there was 
an error.

But I still don't know exactly what it is doing so I'm hoping somebody 
can explain because I may want to change the key at some point.

On the router end the key is configured with radius-server key 7 
"54-character-key"

On the radius server in clients.conf this client's secret = 
"totally-different-26-character-key"

Initially I thought that one side or the other would be like /etc/shadow 
passwords or the garbled string you see looking at an enable secret 
password in the Cisco conf. That would account for them appearing 
totally different. But just copying the old configuration straight works, 
so I guess not.

Alan DeKok wrote:
> John Baker wrote:
>   
>> The setup works fine if I use a password like "testing123" on both ends. 
>> But when I use "radius-server key 7" to encrypt it breaks.
>>     
>
>   As in... what happens?
>
>   
>>  The current 
>> setup does use this so I know it works. But in all the documentation 
>> I've been weeding through on configuring clients.conf nothing seems 
>> to mention how this kind of encryption works on the Free Radius server end.
>>     
>
>   See RFC 2865... if you really care about it.  But trust me, FreeRADIUS
> works.
>
>   
>> The router insists on extremely long key for this configuration. The 
>> 3640 shows one in the config. But client.conf show a much shorter one.
>>
>> When I try to plug the long one in clients.conf freeradius fails to startup.
>>     
>
>   Could you say what error it produces?
>
>   The comments in clients.conf indicate that the shared secret can be no
> more than 31 characters long.  In 2.0, this restriction is removed.
>
>   
>> So how do you configure freeradius for a Cisco hidden password?
>>     
>
>   No idea.  The Cisco "hidden password" thing isn't well documented.
> i.e. The Cisco docs tell you that you can enable hidden passwords, but
> don't say what that means.
>
>   And if you look for "hidden password" in:
>
> http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455a5f.html
>
>   It looks to me like you're using the wrong command.  "radius server
> key" sets the shared secret to the following text, which in your case is
> "7".  If you want hidden passwords, it looks like you have to use
> another command.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   


-- 
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus 
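The lengths John reports line up with how Cisco's "type 7" (key 7) hiding is laid out: two decimal digits of seed followed by two hex digits per cleartext character, so a 26-character secret becomes a 2 + 2*26 = 54-character string. Type 7 is a fixed XOR against a constant table, so it is reversible (unlike the MD5-based "enable secret"), which is why the router accepts the old config verbatim while clients.conf still needs the plain 26-character secret. The following is an added example, not code from the thread, from Cisco or from FreeRADIUS; the XOR table is Cisco's well-known type 7 table, the function names and the sample secrets are constructed for illustration, and the 31-character limit in fits_clients_conf is the FreeRADIUS 1.x limit Alan mentions (lifted in 2.0).

```python
"""Cisco IOS "type 7" password hiding, as used by `radius-server key 7`.

Added example (not code from this thread, Cisco or FreeRADIUS). The XOR
table is Cisco's published type 7 table; secrets below are constructed.
"""

# Cisco's fixed 53-byte XOR table. Type 7 = seed-offset XOR, not a hash.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(hidden: str) -> str:
    """Recover the cleartext from a type 7 string.

    Layout: two decimal digits giving the starting offset into _XLAT,
    then one pair of hex digits per cleartext byte.
    """
    if len(hidden) < 4 or len(hidden) % 2 != 0:
        raise ValueError("type 7 = 2 seed digits + an even number of hex digits")
    if not hidden[:2].isdigit():
        raise ValueError("first two characters must be a decimal seed")
    seed = int(hidden[:2])
    try:
        body = bytes.fromhex(hidden[2:])
    except ValueError as exc:
        raise ValueError("non-hex data after the seed") from exc
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(cleartext: str, seed: int = 0) -> str:
    """Produce the string IOS would show after `radius-server key 7`.

    IOS itself only uses seeds 0..15; any seed gives a decodable string.
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = cleartext.encode("ascii")
    pairs = "".join(
        f"{b ^ _XLAT[(seed + i) % len(_XLAT)]:02X}" for i, b in enumerate(data)
    )
    return f"{seed:02d}{pairs}"


def fits_clients_conf(secret: str, max_len: int = 31) -> bool:
    """True if `secret` fits the FreeRADIUS 1.x clients.conf limit (31 chars,
    per the clients.conf comments; the restriction is gone in 2.0).
    Pasting the 54-char hidden form instead of the 26-char cleartext is
    exactly the case that exceeds it."""
    return len(secret) <= max_len


if __name__ == "__main__":
    # Constructed 26-character shared secret, like the one in clients.conf.
    secret = "abcdefghijklmnopqrstuvwxyz"
    hidden = type7_encode(secret, seed=12)
    print("router config : radius-server key 7", hidden, f"({len(hidden)} chars)")
    print("clients.conf  : secret =", type7_decode(hidden), f"({len(secret)} chars)")
    print("hidden fits 1.x clients.conf?", fits_clients_conf(hidden))
    print("cleartext fits 1.x clients.conf?", fits_clients_conf(secret))
```

Run it and feed the 54-character string from the 3640's config to type7_decode to confirm it yields the 26-character secret in clients.conf; when the key is changed later, set the new cleartext on both sides (the router will re-hide it on its own) rather than copying the type 7 string across.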